Supply Chain Attacks | TÜV Rheinland

Supply Chain Attacks

How attacks on supply chains plant malware and compromise systems undetected.

The SolarWinds attack was both an exceptional attack and a symptom of a larger threat: By penetrating the update mechanisms of the SolarWinds Orion software, attackers were able to compromise thousands of systems. What are supply chain attacks and what can be done to protect against them?

What is a supply chain attack?

While companies continue to better secure their environments, cyber attackers are turning to softer targets. They have found ways to attack that are not only harder to detect, but also more effective at achieving their desired goals.

We are talking about supply chain attacks, which exploit vulnerabilities within the supply chain of a software or hardware product. In supply chain attacks, threat actors integrate malicious modules or components into the product of third-party vendors or suppliers in order to outsmart the security mechanisms of the intended target. This way, cybercriminals do not have to attack the main target directly to gain access to a larger network.

Why supply chain attacks are so devastating

One of the main reasons supply chain attacks are so effective is their stealth. They can go undetected for months or even years, giving attackers enough time to extract confidential data or compromise additional systems. In addition, manufacturing processes – from development through production to installation – involve a number of steps, providing attackers with multiple opportunities to embed their own malicious code into the final product.

Attackers usually focus on products that are used by many customers. If an attacker manages to infiltrate just one vendor, they could theoretically gain access to thousands of unprepared users, including technology companies, governments, and security service providers. Supply chain attacks are a risk especially for large software manufacturers, open source projects and hardware suppliers:

  • With commercial software, attackers can directly insert malicious code to compromise many companies at once.
  • Open source software is vulnerable because the open nature of the development processes makes it easier for attackers to insert vulnerabilities.
  • Hardware products can have microchips and other tampered components introduced into the supply chain, potentially compromising many systems around the world.

SolarWinds & Co.: Famous supply chain attacks

The SolarWinds attack of 2020 left a profound impact on the world of cybersecurity: despite having advanced security measures in place, around 18,000 downstream customers fell victim to the attack, including large corporations and US government agencies. In the largest supply chain attack to date, cybercriminals managed to install malware known as Sunburst, which inserted a backdoor into the network and system environments of the targeted entities.

The attackers penetrated the build process of SolarWinds, where the source code is converted into an executable program. At this stage, the Sunburst Trojan was integrated into an update for the Orion platform. Anyone who installed the update infected their system with the malware. After a two-week waiting period, the Trojan began to communicate with the attackers' command server, which was then able to read data, monitor network activity and install additional malicious code.

Attackers used similar tactics at the IT solutions provider Kaseya, where the REvil ransomware infected MSP software, triggering ransom demands of 70 million US dollars. Another example is the attack on the code coverage system Codecov, where malicious code was inserted into the bash uploader, enabling data theft.

Best practices against supply chain attacks

Updated software asset inventory

An up-to-date list of all software products allows potential security risks to be tracked.

Security assessment of vendors

Keeping up to date with vendors' security measures will help evaluate their security.

Continuous vendor assessment

The risk posed by vendors should be reviewed regularly, as their security status can change over time.

Client-side protection tools

Filtering downloaded content can identify and block malicious code.

Endpoint Detection and Response (EDR)

EDR systems can detect attacks on endpoints and stop them.

Secure build and update structure

Security patches should be installed regularly and only trusted tools should be used.

Security standards for software updates

Secure update procedures should be integrated as part of the development process.

Incident response process

A clear plan provides the foundation for responding appropriately to security incidents and informing all stakeholders.

How TISAX can protect the automotive industry

TISAX® (Trusted Information Security Assessment Exchange) is a standard developed specifically for information security in the automotive industry. Its aim is to ensure data security in the entire supply chain and to minimize the risk of supply chain attacks by means of standardized security assessments, regular audits, employee training and the clear communication of security requirements.

And while TISAX® was primarily developed for the automotive industry, its principles can also benefit other industries that require a secure supply chain. After all, it is evident that supply chain attacks are here to stay. The increasing interconnectivity and digitalization of our world will only provide cybercriminals with more opportunities.
Companies should therefore always take a proactive approach to make sure they will not be the next victim.

Learn more about our cybersecurity services for your supply chain

When it comes to your cybersecurity, there is no one-size-fits-all solution. That's why we offer you a flexible range of services – tailored to your individual needs and requirements.

TISAX® Assessment

Successful in the automotive industry with the TISAX® information security assessment.

Industrial Security Consulting Services

We provide OT and industrial cybersecurity testing, consulting and managed security services.

IT Compliance

We offer you optimal support in the field of IT compliance in accordance with legal requirements.

Do you want to arm yourself against supply chain attacks? We're happy to help

For more information, please get in touch with our experts.

We would be happy to provide you with a non-binding offer.